Update dependency jsonwebtoken to v9 [SECURITY]

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
jsonwebtoken	^8.0.0 → ^9.0.0

---

jsonwebtoken vulnerable to signature validation bypass due to insecure default algorithm in jwt.verify()

CVE-2022-23540 / GHSA-qwph-4952-7xr6

More information

Details

Overview

In versions <=8.5.1 of jsonwebtoken library, lack of algorithm definition and a falsy secret or key in the jwt.verify() function can lead to signature validation bypass due to defaulting to the none algorithm for signature verification.

Am I affected?

You will be affected if all the following are true in the jwt.verify() function:

• a token with no signature is received
• no algorithms are specified
• a falsy (e.g. null, false, undefined) secret or key is passed

How do I fix it?

Update to version 9.0.0 which removes the default support for the none algorithm in the jwt.verify() method.

Will the fix impact my users?

There will be no impact, if you update to version 9.0.0 and you don’t need to allow for the none algorithm. If you need 'none' algorithm, you have to explicitly specify that in jwt.verify() options.

Severity

• CVSS Score: 6.4 / 10 (Medium)
• Vector String: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:H/A:L

References

• https://github.com/auth0/node-jsonwebtoken/security/advisories/GHSA-qwph-4952-7xr6
• https://github.com/auth0/node-jsonwebtoken/commit/e1fa9dcc12054a8681db4e6373da1b30cf7016e3
• https://nvd.nist.gov/vuln/detail/CVE-2022-23540
• https://security.netapp.com/advisory/ntap-20240621-0007
• https://github.com/advisories/GHSA-qwph-4952-7xr6

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

---

Release Notes

auth0/node-jsonwebtoken (jsonwebtoken)

v9.0.0

Compare Source

Breaking changes: See Migration from v8 to v9

Breaking changes

• Removed support for Node versions 11 and below.
• The verify() function no longer accepts unsigned tokens by default. ([8345030]8345030)
• RSA key size must be 2048 bits or greater. ([ecdf6cc]ecdf6cc)
• Key types must be valid for the signing / verification algorithm

Security fixes

• security: fixes Arbitrary File Write via verify function - CVE-2022-23529
• security: fixes Insecure default algorithm in jwt.verify() could lead to signature validation bypass - CVE-2022-23540
• security: fixes Insecure implementation of key retrieval function could lead to Forgeable Public/Private Tokens from RSA to HMAC - CVE-2022-23541
• security: fixes Unrestricted key type could lead to legacy keys usage - CVE-2022-23539

v8.5.1

Compare Source

Bug fix

• fix: ensure correct PS signing and verification (#​585) (e5874ae428ffc0465e6bd4e660f89f78b56a74a6), closes #​585

Docs

• README: fix markdown for algorithms table (84e03ef70f9c44a3aef95a1dc122c8238854f683)

v8.5.0

Compare Source

New Functionality

• feat: add PS JWA support for applicable node versions (#​573) (eefb9d9c6eec54718fa6e41306bda84788df7bec), closes #​573
• Add complete option in jwt.verify (#​522) (8737789dd330cf9e7870f4df97fd52479adbac22), closes #​522

Test Improvements

• Add tests for private claims in the payload (#​555) (5147852896755dc1291825e2e40556f964411fb2), closes #​555
• Force use_strict during testing (#​577) (7b60c127ceade36c33ff33be066e435802001c94), closes #​577
• Refactor tests related to jti and jwtid (#​544) (7eebbc75ab89e01af5dacf2aae90fe05a13a1454), closes #​544
• ci: remove nsp from tests (#​569) (da8f55c3c7b4dd0bfc07a2df228500fdd050242a), closes #​569

Docs

• Fix 'cert' token which isn't a cert (#​554) (0c24fe68cd2866cea6322016bf993cd897fefc98), closes #​554

v8.4.0

Compare Source

New Functionality

• Add verify option for nonce validation (#​540) (e7938f06fdf2ed3aa88745b72b8ae4ee66c2d0d0), closes #​540

Bug Fixes

• Updating Node version in Engines spec in package.json (#​528) (cfd1079305170a897dee6a5f55039783e6ee2711), closes #​528 #​509
• Fixed error message when empty string passed as expiresIn or notBefore option (#​531) (7f9604ac98d4d0ff8d873c3d2b2ea64bd285cb76), closes #​531

Docs

• Update README.md (#​527) (b76f2a80f5229ee5cde321dd2ff14aa5df16d283), closes #​527
• Update README.md (#​538) (1956c4006472fd285b8a85074257cbdbe9131cbf), closes #​538
• Edited the README.md to make certain parts of the document for the api easier to read, emphasizing the examples. (#​548) (dc89a641293d42f72ecfc623ce2eabc33954cb9d), closes #​548
• Document NotBeforeError (#​529) (29cd654b956529e939ae8f8c30b9da7063aad501), closes #​529

Test Improvements

• Use lolex for faking date in tests (#​491) (677ead6d64482f2067b11437dda07309abe73cfa), closes #​491
• Update dependencies used for running tests (#​518) (5498bdc4865ffb2ba2fd44d889fad7e83873bb33), closes #​518
• Minor test refactoring for recently added tests (#​504) (e2860a9d2a412627d79741a95bc7159971b923b9), closes #​504
• Create and implement async/sync test helpers (#​523) (683d8a9b31ad6327948f84268bd2c8e4350779d1), closes #​523
• Refactor tests related to audience and aud (#​503) (53d405e0223cce7c83cb51ecf290ca6bec1e9679), closes #​503
• Refactor tests related to expiresIn and exp (#​501) (72f0d9e5b11a99082250665d1200c58182903fa6), closes #​501
• Refactor tests related to iat and maxAge (#​507) (877bd57ab2aca9b7d230805b21f921baed3da169), closes #​507
• Refactor tests related to iss and issuer (#​543) (0906a3fa80f52f959ac1b6343d3024ce5c7e9dea), closes #​543
• Refactor tests related to kid and keyid (#​545) (88645427a0adb420bd3e149199a2a6bf1e17277e), closes #​545
• Refactor tests related to notBefore and nbf (#​497) (39adf87a6faef3df984140f88e6724ddd709fd89), closes #​497
• Refactor tests related to subject and sub (#​505) (5a7fa23c0b4ac6c25304dab8767ef840b43a0eca), closes #​505
• Implement async/sync tests for exp claim (#​536) (9ae3f207ac64b7450ea0a3434418f5ca58d8125e), closes #​536
• Implement async/sync tests for nbf claim (#​537) (88bc965061ed65299a395f42a100fb8f8c3c683e), closes #​537
• Implement async/sync tests for sub claim (#​534) (342b07bb105a35739eb91265ba5b9dd33c300fc6), closes #​534
• Implement async/sync tests for the aud claim (#​535) (1c8ff5a68e6da73af2809c9d87faaf78602c99bb), closes #​535

CI

• Added Istanbul to check test-coverage (#​468) (9676a8306428a045e34c3987bd0680fb952b44e3), closes #​468
• Complete ESLint conversion and cleanup (#​490) (cb1d2e1e40547f7ecf29fa6635041df6cbba7f40), closes #​490
• Make code-coverage mandatory when running tests (#​495) (fb0084a78535bfea8d0087c0870e7e3614a2cbe5), closes #​495

v8.3.0

Compare Source

• docs: add some clarifications (#​473) (cd33cc81f06068b9df6c224d300dc6f70d8904ab), closes #​473
• ci: fix ci execution, remove not needed script (#​472) (c8ff7b2c3ffcd954a64a0273c20a7d1b22339aa5), closes #​472
• new feature: Secret callback revisited (#​480) (d01cc7bcbdeb606d997a580f967b3169fcc622ba), closes #​480
• docs:Update README.md (#​461) (f0e0954505f274da95a8d9603598e455b4d2c894), closes #​461

v8.2.2

Compare Source

• security: deps: jws@​3.1.5 (#​477) (ebde9b7cc75cb7ab5176de7ebc4a1d6a8f05bd51), closes #​465
• docs: add some clarifications (#​473) (cd33cc81f06068b9df6c224d300dc6f70d8904ab), closes #​473
• ci: fix ci execution, remove not needed script (#​472) (c8ff7b2c3ffcd954a64a0273c20a7d1b22339aa5), closes #​472
• docs: Update README.md (#​461) (f0e0954505f274da95a8d9603598e455b4d2c894), closes #​461

v8.2.1

Compare Source

• bug fix: Check payload is not null when decoded. (#​444) (1232ae9352ce5fd1ca6c593291ce6ad0834a1ff5)
• docs: Clarify that buffer/string payloads must be JSON (#​442) (e8ac1be7565a3fd986d40cb5e31a9f6c4d9aed1b)

v8.2.0

Compare Source

• Add a new mutatePayload option (#​446) (d6d7c5e5103f05a92d3633ac190d3025a0455be0)

v8.1.1

Compare Source

• ci: add newer node versions to build matrix (#​428) (83f3eee44e122da06f812d7da4ace1fa26c24d9d)
• deps: Bump ms version to add support for negative numbers (#​438) (25e0e624545eaef76f3c324a134bf103bc394724)
• docs: Minor typo (#​424) (dddcb73ac05de11b81feeb629f6cf78dd03d2047)
• bug fix: Not Before (nbf) calculated based on iat/timestamp (#​437) (2764a64908d97c043d62eba0bf6c600674f9a6d6), closes #​435

v8.1.0

Compare Source

• #​402: Don't fail if captureStackTrace is not a function (#​410) (77ee965d9081faaf21650f266399f203f69533c5)
• #​403: Clarify error wording for "Expected object" error. (#​409) (bb27eb346f0ff675a320b2de16b391a7cfeadc58)
• Enhance audience check to verify against regular expressions (#​398) (81501a17da230af7b74a3f7535ab5cd3a19c8315)

v8.0.1

Compare Source

• Remove lodash.isarray dependency (#​394) (7508e8957cb1c778f72fa9a363a7b135b3c9c36d)

---

Configuration

📅 Schedule: (UTC)

• Branch creation
  • ""
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.